5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Disable access to the Kubernetes API from outside the node network if it is not required.

Rationale:

In a private cluster, the master node has two endpoints, a private and a public endpoint. The private endpoint is the internal IP address of the master, behind an internal load balancer in the master's VPC network. Nodes communicate with the master using the private endpoint. The public endpoint enables the Kubernetes API to be accessed from outside the master's VPC network.

Although the Kubernetes API requires an authorized token to perform sensitive actions, a vulnerability could potentially expose the Kubernetes API publicly with unrestricted access. Additionally, an attacker may be able to identify the current cluster and Kubernetes API version and determine whether it is vulnerable to an attack. Unless required, disabling the public endpoint will help prevent such threats, and will require the attacker to be on the master's VPC network to perform any attack on the Kubernetes API.

Impact:

To enable a Private Endpoint, the cluster has to also be configured with private nodes, a private master IP range and IP aliasing enabled.

If the Private Endpoint flag --enable-private-endpoint is passed to the gcloud CLI, or the external IP address is left undefined in the Google Cloud Console during cluster creation, then all access from a public IP address is prohibited.

Solution

Once a cluster has been created without the Private Endpoint enabled, it cannot be remediated in place. Rather, the cluster must be recreated.

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER

Configure the cluster as desired then click 'Availability, networking, security, and additional features'

Under 'Network Security' ensure the 'Private cluster' checkbox is checked

Clear the 'Access master using its external IP address' checkbox.

Configure other settings as required

Click CREATE.

Using Command Line

Create a cluster with a Private Endpoint enabled and Public Access disabled by including the --enable-private-endpoint flag within the cluster create command:

gcloud container clusters create [CLUSTER_NAME] \
--enable-private-endpoint

Setting this flag also requires the setting of --enable-private-nodes, --enable-ip-alias and --master-ipv4-cidr=[MASTER_CIDR_RANGE].
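The following script is an added example, not part of the CIS benchmark or of Google's tooling. It does two things for this audit: it assembles the create command with all four flags the benchmark says must travel together, and it evaluates the audit condition against the JSON that `gcloud container clusters describe --format=json` returns for an existing cluster. The field names privateClusterConfig.enablePrivateEndpoint and privateClusterConfig.enablePrivateNodes are those of the GKE API; the two cluster documents embedded below are constructed samples so the check can be exercised offline, and the audit_cluster function assumes an installed and authenticated gcloud.

```shell
#!/bin/sh
# Added example for CIS 5.6.4 (not benchmark or Google code).

# has_true JSON FIELD -> exit 0 if `"FIELD": true` appears in the JSON text.
# Uses grep only, so the check runs on hosts without jq.
has_true() {
    printf '%s\n' "$1" | grep -Eq "\"$2\":[[:space:]]*true"
}

# check_private_endpoint JSON -> prints PASS/FAIL, returns 0 when compliant.
# A cluster passes only when the private endpoint is enabled; a cluster with
# no privateClusterConfig block at all is a public cluster and fails.
check_private_endpoint() {
    if has_true "$1" enablePrivateEndpoint && has_true "$1" enablePrivateNodes; then
        echo "PASS: private endpoint enabled, public access disabled"
        return 0
    fi
    echo "FAIL: master reachable on its public endpoint; recreate with --enable-private-endpoint"
    return 1
}

# audit_cluster NAME LOCATION -> runs the check against a live cluster.
# Assumption: gcloud is installed and authenticated for the active project.
audit_cluster() {
    check_private_endpoint "$(gcloud container clusters describe "$1" --location "$2" --format=json)"
}

# create_private_cluster NAME LOCATION MASTER_CIDR -> prints the full create
# command the benchmark requires (all four flags). Printed rather than executed
# so the command can be reviewed before it is run.
create_private_cluster() {
    printf 'gcloud container clusters create %s --location %s \\\n' "$1" "$2"
    printf '    --enable-private-endpoint \\\n'
    printf '    --enable-private-nodes \\\n'
    printf '    --enable-ip-alias \\\n'
    printf '    --master-ipv4-cidr=%s\n' "$3"
}

# Constructed sample: a compliant private cluster.
COMPLIANT='{
  "name": "prod-private",
  "privateClusterConfig": {
    "enablePrivateEndpoint": true,
    "enablePrivateNodes": true,
    "masterIpv4CidrBlock": "172.16.0.32/28"
  }
}'

# Constructed sample: private nodes, but the public master endpoint is still on.
NONCOMPLIANT='{
  "name": "dev-public",
  "privateClusterConfig": {
    "enablePrivateNodes": true,
    "masterIpv4CidrBlock": "172.16.0.16/28"
  }
}'

# Demonstration on the constructed samples (no gcloud call).
check_private_endpoint "$COMPLIANT" || :
check_private_endpoint "$NONCOMPLIANT" || :
create_private_cluster example-cluster us-central1-a 172.16.0.0/28
```

The check deliberately fails closed: anything other than an explicit `"enablePrivateEndpoint": true` is reported as non-compliant, which matches the benchmark's default of the endpoint being disabled unless it was set at creation time.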

Default Value:

By default, the Private Endpoint is disabled.

See Also

https://workbench.cisecurity.org/files/4135